From de2e79c58fdd9aea3616ab8c4e557bbb924f7723 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Fri, 14 Apr 2017 15:55:20 -0700
Subject: [PATCH] Give apps, cameraserver, and system_server access to sync
 fences.

Since hal_graphics_composer_default is no longer
a member of binderservicedomain, these domains would
no longer be able to use file descriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f
---
 private/app.te           | 3 +++
 private/system_server.te | 3 +++
 public/cameraserver.te   | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/private/app.te b/private/app.te
index c3f44ddb9..d6dc48cbb 100644
--- a/private/app.te
+++ b/private/app.te
@@ -177,6 +177,9 @@ binder_call(appdomain, ephemeral_app)
 # TODO(b/34454312): only allow getting and talking to mediacodec service
 hwbinder_use(appdomain)
 
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
 # Already connected, unnamed sockets being passed over some other IPC
 # hence no sock_file or connectto permission. This appears to be how
 # Chrome works, may need to be updated as more apps using isolated services
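Review bot: The comment `# Talk with graphics composer fences` added here, and repeated in the system_server.te and cameraserver.te hunks, does not say what the rule grants or why it is needed. `fd use` only lets the source domain use file descriptors that a hal_graphics_composer domain opened and handed over; it is not a communication channel, and per the commit message it restores access that binderservicedomain membership used to imply. I would write `# Allow use of sync fence fds created by the graphics composer HAL, which is no longer in binderservicedomain.` in all three places. In this file the source is the appdomain attribute, so the grant presumably reaches every app domain; if that breadth is intended, the comment should say so, so that a later audit does not have to rediscover it.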
diff --git a/private/system_server.te b/private/system_server.te
index 2711a8c1a..e200bef2d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -199,6 +199,9 @@ hal_client_domain(system_server, hal_wifi)
 
 hal_client_domain(system_server, hal_wifi_supplicant)
 
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
 # Talk to tombstoned to get ANR traces.
 unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
 
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 46083f5cc..2a243cc5e 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -14,6 +14,9 @@ hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
 
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
 add_service(cameraserver, cameraserver_service)
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
-- 
GitLab